Description of Forefront endpoint security definition updates

INTRODUCTION

The Microsoft Forefront endpoint security products listed in the Applies To section contain an antimalware agent that regularly downloads updates to the definition files it uses to identify viruses, spyware, and other potentially unwanted software. Forefront endpoint security agents may also periodically download detection engine updates. Microsoft delivers these updates by using Microsoft Update and also Windows Server Update Services (WSUS) if available. To manually download the updates, visit the following Microsoft Web site:

More Information

Definition files

The Microsoft antimalware agent uses virus definition modules (VDMs) to store detection information about malicious software or potentially unwanted software. The antimalware agent uses the following five files during its regular operation.

The MpAvBase.vdm file contains the antivirus base definition module. This file is usually updated only one time per month by Microsoft and contains the base virus information that is used to build the delta definitions.

The MpAvDlta.vdm file contains the antivirus delta definition module. This file is usually updated multiple times per day by Microsoft and contains all the changes that have occurred since the last antivirus base was created.

The MpAsBase.vdm file contains the antispyware base definition module. This file is usually updated only one time per month by Microsoft and contains the base spyware software information and other potentially unwanted software information that is used to build the delta definitions.

The MpAsDlta.vdm file contains the antispyware delta definition module. This file is usually updated multiple times per week by Microsoft and contains all the changes that have occurred since the last antispyware base was created.

The MpEngine.dll file contains the Microsoft malware protection engine. The .vdm files that were mentioned earlier are referenced by the malware protection engine that scans the system resources looking for malware. Some examples of the system resources are files, processes, and registry keys. This file is usually updated only one time per month.

Rebase definitions

Microsoft currently rebases definitions only one time per month. During the rebase process, the delta definitions are combined with the previous base definition file to form a new base file. The rebase process occurs on both the antivirus definition files and on the antispyware definition files.

Because of the rebase process, the size of the new base files typically increases from the previous month. The new base files contain the base definitions from the previous month and contain all the changes from the new delta definitions. Immediately after the rebase process, the sizes of the delta definition files reduce significantly. This behavior occurs because all the information that they previously contained is located in their respective base files.

As new malware information is generated, it is added to the delta definition files causing the size of the files to grow until the next rebase. The size of the base definition files remains the same between rebases.

Microsoft currently releases updates to the malware protection engine at the same time that Microsoft performs the rebase. This means that when the rebase process occurs, the antimalware agent will receive a new version of all five files that are mentioned in the "Definition files" section.

Obtaining definition updates

A customer can download the Forefront endpoint security definition updates by using any of the following ways:

Microsoft Update

Windows Server Update Services

Manual Download

File share (Forefront Endpoint Protection only)

Microsoft Update

Microsoft publishes definition updates to Microsoft Update. The Forefront endpoint security agent can download these updates directly from Microsoft by using any one of the following methods:

Control Panel item for Windows Update.

In the Windows Update applet, make sure that it shows “You receive updates for Windows and other products from Microsoft Update.”

The Microsoft Update Web site.

Automatically by using the antimalware agent.

Automatically by using the Automatic Updates process.

There is detection logic associated with each update. This detection logic allows Microsoft Update to determine the current definition updates that are applied to the agent. Microsoft Update uses this information to provide only the definition update package that is most suitable for the agent. For example, an agent that has the up-to-date version of the previously published definition update downloads only a binary differential delta package and does not download the full installation package.

New definition update packages are usually published to Microsoft Update three times per day.

Windows Server Update Services

Microsoft publishes definition updates to Microsoft Update and makes them available to Windows Server Update Services. Forefront endpoint security customers who have implemented Windows Server Update Services can download these updates from Microsoft by synchronizing the Definition Update classification. Agents that report to that Windows Server Update Services server can download the definitions by using any one of the following methods:

Control Panel item for Windows Update.

Automatically by using the antimalware agent.

Automatically by using the Automatic Updates process.

Similar to Microsoft Update, there is detection logic that is associated with each update. This detection logic allows Windows Server Update Services to provide only the definition update package that is most suitable for the agent.

As described in the Rebase definitions section, the content of the base definitions and the engine does not change between rebases. For this reason, the base definitions and the engine are offered to agents once a month. For Windows Server Update Services (WSUS), this ensures that less duplicate data is downloaded with every definition update release. When viewing file information in the WSUS administration console, the list contains the packages described in the Recent Definitions section below.

New definition update packages are usually published to Windows Server Update Services three times per day. The frequency at which these updates are available to computers depends upon the frequency that the WSUS server synchronizes with Microsoft and how updates are approved for deployment.

Manual Download

Some definition updates are currently available for a manual download from Microsoft at two locations.

The following knowledge base article describes how to manually download the released definitions. These definitions usually correspond to the versions available by using Microsoft Update and by using Windows Server Update Services. Be aware that currently only the full installation packages are available.

The following knowledge base article describes how to manually download the beta definitions. These definitions are published more frequently and may not correspond to the versions published to Microsoft Update.

Updating from a file share is done by downloading the definitions, manually or by script, from one of the sources above and placing them on a file share.

Definition updates

The type of definition update an agent performs is determined by how up-to-date it is with current definitions published by Microsoft. Agents that have updated recently will download and apply only very small changes whereas new agents will need to download the full definition installation to become up-to-date.

New Agents

Description

The full installation is generally only for new antimalware agents or for agents with definitions that have not been updated for more than a month. After download and installation, if computers are kept up-to-date they should not be required to apply the full installation again.

Size

Generally, the size is from 40-70 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.

Previous Month

Description

Agents that are using files of the previous month will receive a binary delta update of the engine and base definitions. The binary delta updates contain only the parts of the base files and of the engine files that have changed since the previous version. For more information about the Microsoft binary delta update technology used in this package, view the following TechNet article: Delta Compression Application Programming Interface

Size

Generally, the size of this installation is from 1-15 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase. Generally, the size is from 1-8 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.

Recent Definitions

Description

The vast majority of definition updates should be applied to agents that are using the engine and base files from the current month. In this situation, only the delta files (MpAvDlta.vdm and MpAsDlta.vdm) need to be updated.

Agents that are using very recent versions of the antimalware definitions will receive binary differential delta updates to the delta files. The delta installation packages use the same binary delta update technology described previously. This technology allows the package to contain only the parts of the delta files that have changed since the previous version. This binary delta update technology helps reduce the size of the update file. This occurs because the update file does not redistribute the parts of the base definition and of the engine files that are currently used by the agent. Microsoft may publish several versions of a binary delta update package. Each binary delta update package contains different content. The goal of publishing multiple package versions is to make sure that agents receive an optimized update for their current update level. Agents that are using the engine and base files from the current month, but have not updated recently enough to be eligible for the smaller delta update, will apply the entire delta files (MpAvDlta.vdm and MpAsDlta.vdm).

Size

Generally, the size ranges of the delta updates are from 50-2048 KB and the entire delta files are from 1-15 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.
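As an added illustration, not part of this article, the following Python function applies the three tiers above (New Agents, Previous Month, Recent Definitions) to the last-modified times of the five definition files on an agent and reports which package that agent would expect next, plus a consistency check that follows from the rebase behavior described earlier. The file timestamps and the published rebase date are constructed values, and the "stale" and "recent" thresholds are assumptions, since the article only says "more than a month" and "recently".

```python
from datetime import datetime, timedelta

BASE_FILES = ("MpEngine.dll", "MpAvBase.vdm", "MpAsBase.vdm")  # refreshed only at rebase
DELTA_FILES = ("MpAvDlta.vdm", "MpAsDlta.vdm")                 # refreshed several times a day/week

# Expected package sizes per tier, as stated in the article.
EXPECTED_SIZE = {
    "full installation": "40-70 MB",
    "engine/base binary delta": "1-15 MB",
    "entire delta files": "1-15 MB",
    "delta-file binary delta": "50-2048 KB",
}

def classify_update_tier(file_times, now, current_base_date,
                         stale=timedelta(days=31), recent=timedelta(days=2)):
    """Decide which update package an agent would receive next.

    file_times:        {file name: last-modified datetime} for the five files
    current_base_date: date of the latest rebase Microsoft has published
    stale / recent:    assumed thresholds (the article gives no exact values)
    Returns (tier, notes); notes flag inconsistent definition sets.
    """
    notes = []
    missing = [f for f in BASE_FILES + DELTA_FILES if f not in file_times]
    if missing:
        return "full installation", ["missing files: " + ", ".join(missing)]
    last_update = max(file_times.values())
    base_date = max(file_times[f] for f in BASE_FILES)
    oldest_delta = min(file_times[f] for f in DELTA_FILES)
    # Delta files are rebuilt at every rebase, so a delta older than its base
    # means the files on disk did not come from one consistent update.
    if oldest_delta < base_date:
        notes.append("delta file older than base/engine: inconsistent definition set")
    if now - last_update > stale:
        return "full installation", notes          # not updated for over a month
    if base_date < current_base_date:
        return "engine/base binary delta", notes   # still on last month's base
    if now - oldest_delta <= recent:
        return "delta-file binary delta", notes    # smallest package
    return "entire delta files", notes             # current base, but deltas lagging

# Constructed sample (hypothetical timestamps, not taken from a real host).
SAMPLE_FILE_TIMES = {
    "MpEngine.dll": datetime(2024, 3, 5), "MpAvBase.vdm": datetime(2024, 3, 5),
    "MpAsBase.vdm": datetime(2024, 3, 5),
    "MpAvDlta.vdm": datetime(2024, 3, 28, 14), "MpAsDlta.vdm": datetime(2024, 3, 27, 9),
}

if __name__ == "__main__":
    tier, notes = classify_update_tier(SAMPLE_FILE_TIMES, datetime(2024, 3, 28, 18), datetime(2024, 3, 5))
    print(tier, EXPECTED_SIZE[tier], notes)
```

On a real host, build file_times from the modification times of the five files in the agent's definition folder (the location is not given in this article).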